The dangers of a single identity

I’m tired of juggling multiple user IDs and passwords on all the websites, computers, and apps I use every day. I’m sure you are too. I have five separate IDs and passwords for work, as many for services at home (from iTunes to my alarm-company ID), and about a dozen for banking, e-commerce, and business services I use via the Internet, from Amazon.com to my Web domain’s management console and FTP credentials. Granted, most people don’t have the last two, but there are too many versions of proving it’s me for me to remember.

Because the problem is common, the industry periodically goes into “one ID for all” thinking. A few years ago, RSA was hoping to furnish the authenticated single sign-on that all providers would use, sort of a DNS registry for identity. RSA’s effort failed because no one wanted to pay RSA an ID tax on each access or ID used. And having just one repository seemed quite scary: It’d be a great target for hackers. (Those fears were later justified by RSA’s failure to prevent its own SecurID system from being hacked.)

[ InfoWorld’s Galen Gruman advocates that users should be able to charge providers for access to their personal information. | Subscribe to InfoWorld’s Consumerization of IT newsletter today. ]

Today, the magic bullet is using OpenID or Facebook as a common sign-in across websites. OpenID has been around for years but hasn’t really gained traction. And the notion of trusting Facebook as a central repository would be laughable if not so scary: Facebook violates its users’ privacy routinely and shouldn’t be trusted with anything important.

But say there were a trusted entity you could use as your identity manager and validator, sort of like a Social Security number that websites could validate against. Shouldn’t we all adopt it?

Absolutely not.

Such systems are inherently dangerous. Fake and stolen Social Security numbers abound, for example. Any single ID would face the same abuse — and once your single identity is compromised, you’re screwed. You can no longer prove who you are. If you think recovering from identify theft is hard, wait until your single identity is compromised.

Plus, identity is much more than a username and password, biometric scan and password, or whatever system you want to use. Also, though we all may be individuals, we could have multiple personas. The “me” you read at InfoWorld is a persona for my role as a technology commentator. The “me” in my how-to books is different as well. The “me” my friends and family know is different. The “me” at my bank, Amazon, and iTunes are all different. The “me” at my insurer and my HMO is different. Yes, it’s the same me at the core, but each persona has a different purpose in the context it operates, so I tune it for that use.

For example, in my blog, I’m more extreme than I am when writing a how-to book or conducting an interview on stage — the goals of the venues differ, so my personas do too. Likewise, my LinkedIn profile is different from my Twitter profile, which would be different from my Google+ profile if Google’s algorithm hadn’t summarily closed it down or my Facebook profile (if I were foolish enough to have one). They’re for different purposes, so I tune who I am based on those purposes, just as we all do when at a work event, at a home party, on a bus, when interviewing for a job, and so on.

That’s just the personal side. By having different identities at my various services, I limit to the extent possible what each entity knows about me. My bank needs no information about my other bank accounts, much less my music purchases or where I shop. Yes, some of that information leaks across providers, and there’s a whole industry to discover and bring together the data so that providers can try to sell me more stuff or insurers can find ways to deny coverage. Some employers do that too to filter out candidates. The more online services we use — which is how the world is going — the more traces we leave for such discovery and collection.

Some services, such as Facebook and Google Now, even get people to sign in so that their activities can be explicitly tracked, creating a single profile across all those aspects of you. The promise is intelligent agents that will figure out what you want for you, but that convenience pales in comparison to the hold such services will have on you once they decide what you want — and cut you out of the decision completely. (The European Union gets this, even if the U.S. doesn’t.)

Fortunately, despite what you see in TV dramas like “CSI,” police agencies can’t quickly figure out your profile and whereabouts through computer searches, though they have forensics technology and access to credit card usage and cell phone records with minor effort. But as more of your aspects are cross-tabbed and federated through a common ID, the possibility of these police-state scenarios will increase — and it won’t be criminals alone who can be so easily monitored.

The heterogeneous nature of both our personas and the contexts in which we operate makes a single identity scary. The tendency is to collect all that in one place or at least provide a single key that opens them up. Yes, theoretically any such unified identity could create separate buckets that compartmentalize our aspects, even require explicit permission for services to open other buckets. But you know how that will work: Governments and service providers — who pay the bills, after all — will demand broader access “just in case.” You won’t be able to manage who you are to whom.

Even if you could, that’s a lot of explicit work few people will do. Just think how few people organize their email or address books or, say, the spare keys for their neighbors’ and friends’ houses. Forget about using the privacy settings on your computer or smartphone, whether or not they’re available. By default, everything will be open for exploitation, like at Facebook and Google Now, which count on users’ tendencies to share. Massive studies have shown they’re justified in those assurances.

I don’t have an answer to the problem of too many accounts and passwords. But I know that it is not a single identity.

This article, “The dangers of a single identity,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog. For the latest business technology news, follow InfoWorld.com on Twitter.